Why this Fintech Chose Codacy Over SonarQube, Semgrep, and GitHub Advanced Security

In this article:
Subscribe to our blog:

Given the compliance-sensitive nature of financial services, this customer chose to share their story anonymously.

 

Learn how this fintech platform serving 70+ global financial institutions chose Codacy to move security from a periodic gate into a continuous habit for 150 engineers. We spoke with the company's Senior Director of Engineering about why point-in-time audits weren't enough, and how his team made secure coding part of the daily workflow.

  • 500+ repositories and 150 developers covered under Codacy
  • Quality gates at IDE, pull request, and stage release so developers catch issues in real time
  • 2-year commitment chosen over Semgrep, SonarQube, AquaSec, and GitHub Advanced Security

 

"Codacy is your buddy for securing the code and churning out high quality code at every stage of the life cycle." 

— Senior Director of Engineering

 

About the company

The company is a fintech platform trusted by 350,000+ users across 70+ global financial institutions, including major banks, insurance companies, and lending organizations. It provides Distribution and Collections Management System solutions for lending, agency, bancassurance, branch banking, and collections operations, and is backed by leading global venture and growth investors.

 

Challenge

A FinTech Needed Secure Code Practices Built Into the Entire SDLC

The company's Senior Director of Engineering has spent close to nine years there, rising into the role. In a startup where the engineering leader wears many hats, he oversees both engineering and security for the platform. His goal was to make secure coding a continuous habit for his developers, not something that only gets attention twice a year during an audit cycle. He wanted quality gates at every stage of the SDLC: while developers write code in their IDE, when they raise a pull request, and before anything reaches a stage release.

The reality at the time was that security checks happened late. The company's clients are large banks and insurance companies, and many require third-party audits conducted by certified vendors before they'll sign off on code health. That's standard practice in financial services. Twice a year, the engineering team went through an external audit cycle where preparation alone took four weeks. When auditors flagged observations, the team had to pause other priorities and focus on remediation, a process that stretched two to three months. Those findings weren't a reflection of the engineering team's ability. They were a result of security feedback arriving too late in the process for anyone to act on it efficiently.

Without automated scanning woven into the daily development workflow, there was also the risk that secrets, API keys, or passwords could end up in the codebase in plain text and sit undetected between audit windows. Even experienced reviewers can miss things when they're juggling multiple priorities. That kind of exposure could persist for months, potentially reaching front-end apps, API requests, and partner integrations. For him, this confirmed that point-in-time manual checks weren't enough. The team needed a tool that lived inside their workflow and caught issues as code was written.

 

"With Codacy, you don't need to look at things retrospectively. While you're coding, you're fixing issues organically versus trying to do one big push. That's not sustainable." 

 

The team had also tried open source scanning tools, but kept running into the same gap: the tools flagged errors and warnings without explaining what the findings meant or how to fix them. Developers were spending 30 minutes to an hour deciphering a single-line warning, and often still had no path forward. The team's leader needed a partner that could scan for both quality and security issues, provide fix guidance alongside every finding, and integrate into the development workflow so that secure coding became part of how the team writes code every day.

 

Solution

Codacy Gives the Team's Developers a Security Buddy at Every Step

The company evaluated GitHub Advanced Security, Semgrep, SonarQube, and AquaSec alongside Codacy. Several of those tools were built primarily for GitHub, which didn't work for the team since they run on Bitbucket. Codacy's native Bitbucket support stood out right away, but integration alone didn't close the deal. There were three other factors: the functionality, including SAST scanning, secret detection, and code quality analysis with actionable remediation guidance; the ease of connecting to their existing Bitbucket workflow; and the hands-on support from Codacy's team throughout the evaluation.

 

"When you're making a close decision, you go with the team that's more engaged, more responsive, and gets you answers fast. With Codacy, we got all three: easy integration with Bitbucket, real engagement from the team, and the functionality we needed." 

 

Codacy's solutions engineer worked directly with the Senior Director of Engineering to set up and test the IntelliJ plugin during a live session. He tried it himself and was able to see scanning results inside his IDE right away. For him, that was the proof point: if a developer can get real-time feedback on security and quality issues without leaving the tool they already work in, adoption follows naturally. The plugin turns Codacy into the "buddy" he had described, one that sits alongside the developer and helps them write better code as they go, rather than flagging problems after the fact.

Security was the primary driver, but Codacy's combined code quality and security capabilities added to the case. Instead of running separate tools for quality and security, the team could use one platform for both. He noted that Codacy "does a pretty deep job in terms of quality also, catching the standard ways and telling you the right way to code." That meant one less tool in the stack and one less integration to maintain.

The rollout covers 500+ repositories and 150 developers, with Codacy's quality gates deployed at the IDE, pull request, and stage release levels. Each gate catches a different class of issue at a different point in the workflow, so developers build secure coding habits incrementally rather than facing a wall of findings at the end.

 

Results

Security Becomes a Daily Practice, Not a Twice-a-Year Event

The company is currently onboarding and configuring Codacy across its repositories, with full rollout underway. The team plans to measure impact against their next external third-party audit, tracking both the total number of observations flagged and the time spent on remediation compared to previous cycles.

  • Secure coding practices embedded across the SDLC with automated scanning at IDE, PR, and release stages
  • Real-time remediation guidance so developers learn to fix security issues as they code
  • Automated secret detection catches exposed credentials before they persist between audit windows
  • Code quality and security unified in one platform, replacing the need for separate quality tooling

When he pitched the investment internally, it was framed around total cost of ownership. Source code scanning is a compliance requirement in fintech, so the question was never whether the company needed a tool. It was whether building and maintaining a homegrown solution made sense compared to working with a dedicated vendor. The team had already built some internal tools on top of open source, but when he laid out the developer salaries required for ongoing maintenance, the opportunity cost of pulling engineers off product work, and the reality that a homegrown tool would never keep pace with a platform like Codacy that ships continuous security updates, the answer was obvious to leadership.

Beyond the tooling, the Senior Director of Engineering sees the bigger win in how his developers are starting to relate to security. He's been a developer himself for most of his career, and his view is that engineers don't resist owning security when you give them the right support. What frustrates them is getting blocked right before a production release with findings they've never seen. With Codacy acting as a buddy throughout the development process, developers pick up security nuances organically. They learn what good patterns look like, what mistakes to avoid, and how to write more secure code by default. He sees that growth as what separates a good developer from a well-rounded engineer.

 

"A good engineer isn't just a developer or just QA. It's about how much they know beyond their own function: business, product, security, operations. Codacy helps our engineers get there. In that journey, they learn security nuances, and that adds real value to their careers."

 

Subscribe to our blog

Stay updated with our monthly newsletter.